From d222d4502acdf9d235880d3675d2dcf7f18e1d85 Mon Sep 17 00:00:00 2001 From: kolaente Date: Sat, 21 Feb 2026 23:52:31 +0100 Subject: [PATCH] fix: escape attachment download filename --- pkg/routes/api/v1/task_attachment.go | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/pkg/routes/api/v1/task_attachment.go b/pkg/routes/api/v1/task_attachment.go index 5be5a2132..cc1e8ae69 100644 --- a/pkg/routes/api/v1/task_attachment.go +++ b/pkg/routes/api/v1/task_attachment.go @@ -210,7 +210,9 @@ func GetTaskAttachment(c *echo.Context) error { mimeToReturn = "application/octet-stream" } - c.Response().Header().Set("Content-Disposition", "attachment; filename=\""+taskAttachment.File.Name+"\"") + filename := strings.ReplaceAll(taskAttachment.File.Name, `"`, `\"`) + + c.Response().Header().Set("Content-Disposition", "attachment; filename=\""+filename+"\"") c.Response().Header().Set("Content-Type", mimeToReturn) c.Response().Header().Set("Content-Length", strconv.FormatUint(taskAttachment.File.Size, 10)) c.Response().Header().Set("Last-Modified", taskAttachment.File.Created.UTC().Format(http.TimeFormat))